Carving tools help you recover deleted files

PhotoRec

If the filesystem is not completely destroyed, tools that evaluate the filesystem provide an important alternative to tools such as Foremost and Scalpel. The PhotoRec [5] recovery tool was developed by Christophe Grenier to rescue photos from corrupt Flash memory. PhotoRec will also work if the partition table is damaged.

Once PhotoRec has identified the filesystem, it extracts an enormous variety of file types. In addition to photo files, PhotoRec also restores EXE or ZIP files.

All told, the tool supports more than 180 file types. The program is controlled by means of a practical text menu, which reduces the danger of user errors. Unfortunately, PhotoRec cannot current analyze RAM dumps or swap files.

Memory Hook

File carvers help forensic investigators extract deleted files. Foremost and Scalpel ignore the filesystem and can even restore data from RAM dumps and swap files. Their speed is quite amazing.

If the filesystem still exists, a tool such as PhotoRec is also useful for finding lost files.

Caine is a Linux distribution based on Ubuntu 10.04 for forensic scientists and security-conscious administrators. Poised to do battle against IT ne’er-do-wells, Caine has a comprehensive selection of software, a user-friendly GUI, and responsive support.